Thursday, December 07, 2017

Mozilla Firefox Version 57.0.2 Released


Mozilla sent yet another update for Firefox Version 57 to the release channel, Version 57.0.2.

Fixed

  • Block old versions of G Data Endpoint Security for crashing Firefox on start up - Windows only (bug 1421991)
  • Fix a regression with WebGL and D3D9 - Windows only

    Update:

    To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.





    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...

    Thursday, November 30, 2017

    Mozilla Firefox Version 57.0.1 Released


    Mozilla sent Firefox Version 57.0.1 to the release channel.

    Update:  The version update also included one Critical and two High security updates.


    Security vulnerabilities fixed in Firefox 57.0.1
    Critical:
     High:

    Fixed

    • Fix a video color distortion issue on YouTube and other video sites with some AMD devices (bug 1417442)
    • Fix an issue with prefs.js when the profile path has non-ascii characters (bug 1420427)
    • Various security fixes
    • Google map crashes on OSX with Intel HD Graphics 3000

    Changed

    • Block injection of a client library associated with the RealPlayer Free player which is known to cause performance problems in Firefox. (Bug 1418535)
      Update:

      To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.


      Tuesday, November 28, 2017

      Pale Moon Version 27.6.2 Released


      Pale Moon has been updated to Version 27.6.2. This is a security and minor bugfix update. Details from the Release Notes:

      Changes/fixes:
      • Implemented the concept of so-called "cookie-averse document objects" which is a security&privacy measure that blocks certain web content from setting cookies. This mitigates cookie-injection, which might help against "hidden" cookie tracking.
      • Mitigated some domain name spoofing through IDN by using dotless-i and dotless-j with accents. (CVE-2017-7832)
        Pale Moon will display these kinds of spoofed domains in punycode now in the actual address bar. (See Identity Panel below)*
        Please note that the identity panel will always be able to help you on secure sites when IDNs are in use to notice potential spoofing, as opposed to relying on detection algorithms in the URL itself. As such, some other issues like CVE-2017-7833 are already mitigated by us.
      • Fixed an issue with mixed-content blocking. (CVE-2017-7835)
      • Added an extra check for the correct signature data type on certificates.
      • Added missing sanitization in exporting bookmarks to HTML. (CVE-2017-7840)
      • Fixed several crashes and memory safety hazards.
      *Identity Panel

      If you are visiting a phishing site using an IDN (International-character Domain Names) to try and spoof the original domain, this identity panel, since 27.3.0, will clearly display the "raw" code of the IDN (also called "punycode", a domain starting with "xn--") instead of what the site is trying to spoof:
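The display rule described above (show the raw "xn--" form when a label contains a dotless i or dotless j carrying an accent) can be sketched as follows. This is an added example, not Pale Moon's code and not part of the release notes; the function names, the whole-host fallback policy and the sample hostnames are assumptions constructed for illustration.

```python
import unicodedata

# Dotless letters named in the release note:
# U+0131 (dotless i) and U+0237 (dotless j).
DOTLESS = {"\u0131", "\u0237"}
ACE_PREFIX = "xn--"


def to_unicode_label(label: str) -> str:
    """Decode an ACE ("xn--") label to Unicode; other labels pass through."""
    if label.lower().startswith(ACE_PREFIX):
        try:
            return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
        except UnicodeError:
            # Malformed punycode: keep the raw label rather than guess.
            return label
    return label


def to_ace_label(label: str) -> str:
    """Encode a Unicode label as punycode; pure-ASCII labels pass through."""
    if label.isascii():
        return label
    return ACE_PREFIX + label.encode("punycode").decode("ascii")


def is_accented_dotless(label: str) -> bool:
    """True if a dotless i/j is immediately followed by a combining mark.

    A dotless letter plus a combining accent renders almost exactly like
    the ordinary accented letter, which is what makes the label deceptive.
    A dotless i on its own (as in Turkish words) is not flagged.
    """
    for ch, nxt in zip(label, label[1:]):
        if ch in DOTLESS and unicodedata.combining(nxt) != 0:
            return True
    return False


def display_host(host: str) -> str:
    """Return the host as an address bar would show it under this policy.

    Assumed policy for the example: if any label matches the pattern,
    show the whole host in its "xn--" form; otherwise show Unicode.
    """
    labels = [to_unicode_label(part) for part in host.split(".")]
    if any(is_accented_dotless(label) for label in labels):
        return ".".join(to_ace_label(label) for label in labels)
    return ".".join(labels)


if __name__ == "__main__":
    # Constructed sample hostnames (the .test TLD is reserved for testing).
    samples = [
        "exampl\u0131\u0301.test",   # dotless i + combining acute: flagged
        "\u0237\u0302ava.test",      # dotless j + combining circumflex: flagged
        "b\u00fccher.test",          # ordinary IDN: shown in Unicode
        "\u0131stanbul.test",        # dotless i without an accent: not flagged
        "example.test",              # plain ASCII
    ]
    for host in samples:
        print(f"{host!r:32} -> {display_host(host)}")
```
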



       Minimum system Requirements (Windows):
      • Windows Vista/Windows 7/8/10/Server 2008 or later
      • Windows Platform Update (Vista/7) strongly recommended
      • A processor with SSE2 instruction support
      • 256 MB of free RAM (512 MB or more recommended)
      • At least 150 MB of free (uncompressed) disk space
      Pale Moon includes both 32- and 64-bit versions for Windows:

      Update

      To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.






      Tuesday, November 14, 2017

      Microsoft Security Updates for November, 2017



      The November security release consists of 53 security updates, of which 20 are listed as Critical, 30 are rated Important and 3 are rated Moderate. The release covers the following software:
      • Internet Explorer
      • Microsoft Edge
      • Microsoft Windows
      • Microsoft Office and Microsoft Office Services and Web Apps
      • ASP.NET Core and .NET Core
      • Chakra Core
      The updates address Remote Code Execution, Information Disclosure, "Defense in Depth" (Note:  "Defense-in-Depth" is a fix that does not apply to an actively exploitable vulnerability but prevents future vulnerabilities caused by the same code when surrounding code changes expose the problem.), Denial of Service, Security Feature Bypass, Spoofing and Elevation of Privilege.

      For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

      Also see this month's Zero Day Initiative — The November 2017 Security Update Review by Dustin Childs in which he discusses ADV170020 - Microsoft Office Defense in Depth Update, CVE-2017-11830 - Device Guard Security Feature Bypass Vulnerability and CVE-2017-11877 - Microsoft Excel Security Feature Bypass Vulnerability.

      Known Issues

        Additional Update Notes

        • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
        • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. 
          Note:  Users who are paranoid about the remote possibility of a false positive (FP) can opt to run this tool from a Command Prompt, appending a   /N   parameter [for "detect only" mode].
        • Windows 10 -- A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.






          Adobe Shockwave Player Critical Update

          Adobe has released a security update for Adobe Shockwave Player for Windows. This update resolves a critical memory corruption vulnerability that could lead to code execution.

          Although I have yet to need Shockwave Player on this computer, there are still many people who use it.  If you have Shockwave Player installed, please update to the latest version.

          Release date: November 14, 2017
          Vulnerability identifier: APSB17-40
          CVE number: CVE-2017-11294
          Platform: Windows

          The newest version 12.3.1.201 is available here: http://get.adobe.com/shockwave/.  As usual, watch for any pre-checked add-ons not needed for the update.


          Adobe Reader DC and Adobe Acrobat DC Security Updates Released


          Adobe has released security updates for Adobe Reader DC and Adobe Acrobat DC for Windows and Macintosh.  In addition, although Adobe Reader XI reached end-of-life last month, an update has also been released.  These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.  

          Release date:  November 9, 2017
          Vulnerability identifier: APSB17-36
          Platform: Windows and Macintosh

          Update or Complete Download

          Update checks can be manually activated by choosing Help > Check for Updates.  Although Reader DC and Acrobat DC are both updated to the 2018.009.20044 version, the unexpected update for Adobe Reader remains in the incremental version 11.
          Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.









          Adobe Flash Player Critical Security Update


          Adobe has released Version 27.0.0.187 of Adobe Flash Player.  The update addresses critical vulnerabilities that could lead to code execution for Microsoft Windows, Macintosh, Chrome and Linux.  The update also includes bug fixes.

          Release date:  November 14, 2017
          Vulnerability identifier: APSB17-33
          Platform: Windows and Macintosh

          Update:

          *Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

            Verify Installation

            To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

            Do this for each browser installed on your computer.

            To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.










            Mozilla Firefox Version 57.0 Released with Security Updates


            Mozilla sent Firefox Version 57.0 to the release channel today.  The update includes four (4) security updates, 1 Critical, 1 High, 1 Moderate and 1 Low.

            Update:  Firefox ESR version 52.5 has been released.

            With this release, "legacy" add-ons (XUL-based) will no longer function.  This update changes the add-ons system to the WebExtensions API. The Mozilla Add-ons portal will list only WebExtensions-compatible add-ons by default.  Legacy extensions are listed separately under Tools > Add-ons.  From there, click "Find a Replacement" and check the three pages of available extensions.

            In addition, this update introduces the new Quantum engine (Firefox Quantum), which is replacing parts of the familiar old Gecko engine.

            Security Updates
            • Critical Vulnerability: Can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.
            • High Vulnerability:  Can be used to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions.
            • Moderate:  Vulnerabilities that would otherwise be High or Critical except they only work in uncommon non-default configurations or require the user to perform complicated and/or unlikely steps.
            • Low:  Minor security vulnerabilities such as Denial of Service attacks, minor data leaks, or spoofs. (Undetectable spoofs of SSL indicia would have "High" impact because those are generally used to steal sensitive data intended for other sites.)

            New

            • A completely new browsing engine, designed to take full advantage of the processing power in modern devices
            • A redesigned interface with a clean, modern appearance, consistent visual elements, and optimizations for touch screens
            • A unified address and search bar. New installs will see this unified bar. Learn how to add the stand-alone search bar to the toolbar
            • A revamped new tab page that includes top visited sites, recently visited pages, and recommendations from Pocket (in the US, Canada, and Germany)
            • An updated product tour to orient new and returning Firefox users
            • AMD VP9 hardware video decoder support for improved video playback with lower power consumption
            • An expanded section in preferences to manage all website permissions

            Changed

            • Firefox now exclusively supports extensions built using the WebExtension API, and unsupported legacy extensions will no longer work. Learn more about our efforts to improve the performance and security of extensions
            • The browser's autoscroll feature, as well as scrolling by keyboard input and touch-dragging of scrollbars, now use asynchronous scrolling. These scrolling methods are now similar to other input methods like mousewheel, and provide a smoother scrolling experience
            • The content process now has a stricter security sandbox that blocks filesystem reading and writing on Linux, similar to the protections for Windows and macOS that shipped in Firefox 56
            • Middle mouse paste in the content area no longer navigates to URLs by default on Unix systems
            • Removed the toolbar Share button. If you relied on this feature, you can install the Share Backported extension instead.
            • Some older versions of the ATOK IME, including ATOK 2006, 2008, 2009 and 2010, can cause crashes and are therefore disabled on the Windows 64-bit version of Firefox Quantum. To fix those incompatibility issues, please use a newer version of ATOK or one of other IMEs.
            • The default font for Japanese text is now Meiryo

              Update:

              To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.


              Friday, November 10, 2017

              Lest We Forget

              Whether you call it Veteran's Day, Armistice Day or Remembrance Day, November 11th is a time to put aside politics and pay tribute to all who died for their country.  It is also a perfect time to thank the Veterans in whatever country you live in. 

              As in previous years, I am republishing my friend Canuk's last tribute and, once again, adding a special thank you to my friends "Phantom Phixer" and "Ghost".

              The comment Canuk posted provides one example of why he was a special person:
              "I too "will remember your friends who never had a full life", while thanking you and your comrades who have served with pride, honesty and honour.

              Despite anyone's thoughts of the current conflict in Iraq - opposition or agreement, we must always remember that these brave young men and women are fighting for a cause they also may or may not agree with. The huge difference between them and us is that they are putting their lives on the line 24/7 while we sit in our homes in comfort, using the freedom of speech previous warriors won for us, and for that they deserve our love, respect, and support."
              LEST WE FORGET




              We Shall Keep the Faith by Moina Michael, November 1918

              Oh! you who sleep in Flanders Fields,
              Sleep sweet - to rise anew!
              We caught the torch you threw
              And holding high, we keep the Faith
              With All who died.

              We cherish, too, the poppy red
              That grows on fields where valor led;
              It seems to signal to the skies
              That blood of heroes never dies,
              But lends a lustre to the red
              Of the flower that blooms above the dead
              In Flanders Fields.

              And now the Torch and Poppy Red
              We wear in honor of our dead.
              Fear not that ye have died for naught;
              We'll teach the lesson that ye wrought
              In Flanders Fields.

              Flags courtesy of 3DFlags.com












              Tuesday, November 07, 2017

              Pale Moon Version 27.6.0 Released With Security Updates


              Pale Moon has been updated to Version 27.6.0. This is a major development update. Details from the Release Notes:

              Security/privacy fixes:
              • Added an option to clear Site Connectivity Data (delete history).
              • Removed stale entries from the HSTS preload list, and improved generation/processing of it.
              • Removed undesired certificate issuer organization to common name fallback (if issuer org is empty).
              • Added pretty-printing for ECDSA-SHA224, 256, 384 and 512 hashed certificate signatures.
              • Worked around some more issues with broken Apple fonts.
              Changes/fixes:

              • Dropped support for Direct2D 1.0 to avoid font rendering issues. Windows installations not capable of using Direct2D 1.1 will now fall back to software rendering. As a result, fonts may look different from this version onwards if you are on Windows Vista or Windows 7. Users on Windows 7 affected by this should install the Platform Update to re-enable Direct2D.
              • Updated the Brotli decoder library, and enabled support for Brotli HTTP content-encoding by default.
              • Added notifications to inform users about WebExtensions not being supported if they try to install them (as opposed to "extension is corrupt")
              • Added a number of DOM childNode convenience functions. This should fix some lazy-loading frameworks.
                (enjoy your LOLcats again!)
              • Changed automatic updates over to the new infrastructure.
              • Added extra proxy settings in Options, covering DNS lookups through SOCKS v5 and automatic proxy authentication with known credentials.
              • Added a selectable fallback character encoding of UTF-8 and fallback to UTF-8 as a last effort. (Issue #1423)
              • Improved timing of canplay and canplaythrough firing to work around a potential race condition locking up queued video playback.
              • Improved upmixing of mono sound for multi-channel setups.
              • Fixed a parallelization issue with the KISS-FFT library causing CPU-deadlocked threads (Issue #1425)
              • Fixed "Remove from history" function from the downloads panel.
              • Forced focus on the address bar in new windows if the content is a blank/empty document.
              • Fixed the dropmarker in the address bar to allow the suggestions to be closed with a click.
              • Further cleaned up the status bar code.
              • Disabled window.showModalDialog; it's been removed from the spec 2 years ago and has potential abuse issues (modal dialogs block the UI)
              • Fixed image decoder calls to make sure the image load event doesn't fire prematurely.
              • Updated LibPNG to 1.6.28, and enabled faster SSE2 decoding.
              • Updated WOFF2 code from upstream.
              • Updated the zlib compression library.
              • Made general improvements to internal code structure and spec adherence.
              • Fixed an issue with certain command-line parameters being used.
              • Updated the default theme to improve consistency and contrast of toolbar and download buttons.
              • Increased the default duration of notification pop-ups and made them configurable.
              • Improved handling of audio-visual media (ongoing).
              • Fixed an issue in CSS where elements would sometimes reflow to the next line even with sufficient visual space.
              • Aligned the implementation of for(let x=y;;) loops with the final ES6 specification.
              • Fixed the selection system inside of a nested contenteditable element being broken.
              • Fixed Windows 10 detection for blocklisting graphics drivers.
              • Enabled pasting of clipboard data in documents without an editor element to improve web compatibility.
              • Fixed the uninstallation routine of restartless add-ons.
              • Fixed the handling of unimplemented functions in the console API.
              • Updated the Facebook user-agent to enable otherwise vendor-restricted functionality.
              • Updated the SVG scaling cache limit to be more lenient for larger SVG images at a small performance trade-off, working around some sites' design issues.
               Minimum system Requirements (Windows):
              • Windows Vista/Windows 7/8/10/Server 2008 or later
              • Windows Platform Update (Vista/7) strongly recommended
              • A processor with SSE2 instruction support
              • 256 MB of free RAM (512 MB or more recommended)
              • At least 150 MB of free (uncompressed) disk space
              Pale Moon includes both 32- and 64-bit versions for Windows:

              Update

              To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.






              Thursday, October 26, 2017

              Mozilla Firefox Version 56.0.2 Released


              Mozilla sent Firefox Version 56.0.2 to the release channel today.  The update includes several bug fixes.  There is no mention of the previously listed unresolved issues.

              Firefox ESR remains at version 52.4.0.

              Fixed

                  Previous Listed Unresolved Issues

                  • Due to a bug in Mac OS X High Sierra, fullscreen mode has some issues
                  • Startup crash with RelevantKnowledge adware installed. Firefox Support has helpful instructions to remove it.
                  • Startup crashes with 64-bit Firefox on Windows 7, for users of Lenovo's "OneKey Theater" software for IdeaPad laptops. To fix this crash, please re-install 32-bit Firefox.
                  • Users running Firefox for Windows over a Remote Desktop Connection (RDP) may find that audio playback is disabled due to increased security restrictions. Learn how to mitigate this issue until it is corrected in an upcoming release

                  Update:

                  To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.


                  Wednesday, October 25, 2017

                  Another Adobe Flash Player Update


                  Adobe has released Version 27.0.0.183 of Adobe Flash Player for Microsoft Windows, Macintosh, Chrome and Linux.

                  The update does not include any security fixes.  Rather, it provides an important functional fix impacting Flex content.  If impacted, it is recommended that the update be installed.  For those who have the option to 'Allow Adobe to install updates', the update will be automatic.

                  Update:

                  *Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

                    Verify Installation

                    To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

                    Do this for each browser installed on your computer.

                    To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.










                    Saturday, October 21, 2017

                    Adobe Reader XI and Acrobat XI -- End-of-Life


                    Adobe provides product support from the general availability date of Adobe Acrobat and Adobe Reader for five years.  The five-year date was October 15, 2017, meaning Adobe Reader XI and Acrobat XI have reached end-of-life.  As a result, Adobe will no longer be providing technical support for those products.  This also includes both product and, more importantly, security updates.

                    If either or both of these programs are installed on your computer it is strongly advised that you uninstall them as soon as possible.  If you wish to stay with Adobe products, the Adobe Acrobat Reader DC can be downloaded from here.
                    Note: UNcheck any pre-checked additional options presented with the download. They are not part of the software and are completely optional.
                    If you use Windows 10, Microsoft Edge works great to read PDF documents.  In addition, new features are included in the Windows 10 Fall Creators Update.   See How Microsoft Edge will beat Chrome as the best PDF reader with the Fall Creators Update for additional information.

                    Another alternative is Sumatra PDF:
                    "Sumatra PDF is a free PDF, eBook (ePub, Mobi), XPS, DjVu, CHM, Comic Book (CBZ and CBR) reader for Windows.
                    Sumatra PDF is powerful, small, portable and starts up very fast.
                    Simplicity of the user interface has a high priority."

                    h/t ky331

                    References

                    Adobe Acrobat XI and Adobe Reader XI End of Support
                    Adobe Support Lifecycle Policy









                    Wednesday, October 18, 2017

                    Oracle Java Critical Security Updates Released


                    Oracle released the scheduled critical security updates for its Java SE Runtime Environment software.  The update contains 22 new security fixes for Oracle Java SE.  Twenty-two (22) of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  

                    Update

                    If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.

                    Download Information

                    Java SE 8u151/ 8u152
                    Java™ SE Development Kit 8, Update 151 Release Notes
                    Java™ SE Development Kit 8, Update 152 Release Notes
                    Java SE Runtime Environment 8 - Downloads

                    Java SE 9.0.1  (x64-bit only)
                    Java™ SE Development Kit 9.0.1 Release Notes
                    Java SE Runtime Environment 9 - Downloads
                    Notes:
                    • UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.  Preferably, see the instructions below on how to handle "Unwanted Extras".  
                    • Oracle does not plan to migrate desktops from Java 8 to Java 9 through the auto update feature.  Therefore, it is strongly recommended that you uninstall JRE 8 prior to updating.
                    • Verify your version at http://www.java.com/en/download/testjava.jsp.   Note:  The Java version verification page will only work if your browser has NPAPI support.  If it does not, check the version by opening a cmd window and entering the following (note the space following java):  java -version

                    Critical Patch Updates

                    For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:
                    • 16 January 2018
                    • 17 April 2018
                    • 17 July 2018
                    • 16 October 2018

                    Unwanted "Extras"

                    Although most people do not need Java on their computer, there are some programs and games that require Java.  In the event you need to continue using Java, How-to Geek discovered a little-known and unpublicized option in the Java Control Panel to suppress the offers for the pre-checked unwanted extras that Oracle has long included with the updates.  Although the Ask Toolbar has been removed, that does not preclude the pre-checked option for some other unnecessary add-on.

                    Do the following to suppress the sponsor offers:
                    1. Launch the Windows Start menu
                    2. Click on Programs
                    3. Find the Java program listing
                    4. Click Configure Java to launch the Java Control Panel
                    5. Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
                    6. Check the box by the “Suppress sponsor offers when installing or updating Java” option and click OK.

                    Java Security Recommendations

                    1)  In the Java Control Panel, at minimum, set the security to high.
                    2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.

                    3)  Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml





                    Monday, October 16, 2017

                    Adobe Flash Player Out-of-Band Critical Security Update


                    Adobe has released Version 27.0.0.170 of Adobe Flash Player for Microsoft Windows, Macintosh, Chrome and Linux.

                    The critical update addresses a report that an exploit for CVE-2017-11292 exists in the wild, and is being used in limited, targeted attacks against users running Windows.

                    Release date:  October 16, 2017
                    Vulnerability identifier: APSB17-32
                    CVE Numbers:   CVE-2017-11292
                    Platform: Windows, Macintosh, Linux and Chrome OS

                    Update:

                    *Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

                      Verify Installation

                      To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

                      Do this for each browser installed on your computer.

                      To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

                      Tuesday, October 10, 2017

                      Microsoft Security Updates for October, 2017



                      The October security release consists of 62 security updates for the following software, of which 27 are listed as Critical and 35 are rated Important. In particular, note that one CVE in Microsoft Office is listed as under active attack, and two other CVEs are listed as publicly known prior to release.
                      • Internet Explorer
                      • Microsoft Edge
                      • Microsoft Windows
                      • Microsoft Office and Microsoft Office Services and Web Apps
                      • Skype for Business and Lync
                      • Chakra Core

                        Known Issues
                        The updates address Remote Code Execution, Information Disclosure, "Defense-in-Depth", Security Feature Bypass and Elevation of Privilege. Note: "Defense-in-Depth" is a fix that does not apply to an actively exploitable vulnerability but prevents future vulnerabilities caused by the same code when surrounding code changes expose the problem. In addition, Windows 10 1511 support ends today.

                        For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

                        CVEs addressed by Microsoft this month that deserve extra attention are discussed in Zero Day Initiative — The October 2017 Security Update Review by Dustin Childs.

                          Additional Update Notes

                          • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
                          • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. 
                            Note: Users who are paranoid about the remote possibility of a false positive (FP) can opt to run this tool from a Command Prompt, appending a /N parameter (for "detect only" mode).
                          • Windows 10 -- A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.

                            Adobe Flash Player Updates


                            Adobe has released Version 27.0.0.159 of Adobe Flash Player for Microsoft Windows, Macintosh, Chrome and Linux.

                            These updates address functionality bugs.

                            Release date:  October 10, 2017
                            Vulnerability identifier: APSB17-31
                            CVE Numbers:   None
                            Platform: Windows, Macintosh, Linux and Chrome OS

                            Update:

                            *Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

                              Verify Installation

                              To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

                              Do this for each browser installed on your computer.

                              To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

                              Pale Moon 27.5.1 Released


                              Pale Moon has been updated to Version 27.5.1. This is a security and stability update.

                              The security updates include DiD ("Defense-in-Depth") fixes.  This means that it is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.

                              Details from the Release Notes:

                              Changes/fixes:
                              • Changed the default Windows 10 styling when no accent color is applied to black-on-white.
                              • Changed the theme styling on Windows 10 when the system window frame is used (menu bar enabled) to use the window manager background directly, preventing visual lag updating the window color when it changes.
                              • Updated user agent overrides for DropBox, YouTube and Yahoo to work around user agent sniffing issues.
                              • Fixed a crash in the media subsystem.
                              • Fixed a regression where video playback hardware acceleration was disabled incorrectly on some systems.
                               Security fixes:
                              • Updated libhyphen to the latest upstream code to fix a security issue.
                              • Updated NSPR to 4.16-RTM with a patch to un-bust building on win64.
                              • Updated NSS to 3.32.1-RTM.
                              • Worked around some more issues with Mac fonts (CVE-2017-7825).
                              • Fixed a potential rooting hazard in NPAPI plugin code. DiD
                              • Fixed a potential reference issue in JavaScript arrays. DiD
                              Minimum system Requirements (Windows):
                              • Windows Vista/Windows 7/8/10/Server 2008 or later
                              • Windows Platform Update (Vista/7) strongly recommended
                              • A processor with SSE2 instruction support
                              • 256 MB of free RAM (512 MB or more recommended)
                              • At least 150 MB of free (uncompressed) disk space
                              Pale Moon includes both 32- and 64-bit versions for Windows:

                              Update

                              To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.






                              Monday, October 09, 2017

                              Mozilla Firefox Version 56.0.1 Released


                              Mozilla sent Firefox Version 56.0.1 to the release channel today. The update includes one fix and the migration to 64-bit Firefox for users of the 32-bit version. Note the unresolved issues!

                              Firefox ESR remains at version 52.4.0.

                              Fixed

                              • Block D3D11 when using Intel drivers on Windows 7 systems with partial AVX support (bug 1403353)

                              Changed

                              • Users of 32-bit Firefox on 64-bit Windows are migrated to 64-bit Firefox for increased stability and security.

                              Unresolved

                              • Due to a bug in Mac OS X High Sierra, fullscreen mode has some issues
                              • Startup crash with RelevantKnowledge adware installed. Firefox Support has helpful instructions to remove it.
                              • Startup crashes with 64-bit Firefox on Windows 7, for users of Lenovo's "OneKey Theater" software for IdeaPad laptops. To fix this crash, please re-install 32-bit Firefox.
                              • Users running Firefox for Windows over a Remote Desktop Connection (RDP) may find that audio playback is disabled due to increased security restrictions. Learn how to mitigate this issue until it is corrected in an upcoming release

                              Update:

                              To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.


                              Tuesday, October 03, 2017

                              Cyber Security Awareness Month


                              October is National Cyber Security Awareness Month (NCSAM). The 2017 Cyber Security Awareness Month marks the seventh anniversary of the campaign. It is also European Cyber Security Awareness Month (ECSM), https://cybersecuritymonth.eu/, and in Canada, https://www.getcybersafe.gc.ca/index-eng.aspx

                                Stop | Think | Connect

                              With that in mind, consider the following suggestions not only during Cyber Security Awareness month but every day:

                                  Stop:  Before you click that formatted link in your email, search results or social media account, mouse over the link to ensure the URL matches the description.

                                  Think:  Whether it is email, Facebook, Twitter, an online forum or other online media, instead of spouting off the first reply that comes to mind when you disagree, think before you click the send button.  Remember that your online reputation can follow you in "real life".

                                  Connect:  When you connect to the Internet, ensure your device software as well as any apps or third-party software are up to date.

                              Each week, Malwarebytes Labs will focus on a theme and provide helpful articles, useful tips, and valuable analysis so that you can increase awareness and spread the word. This week’s theme: simple steps to online safety. The first:  National cybersecurity awareness month: simple steps to online safety | Malwarebytes Labs

